BNM's Push for Cyber Resilience — What It Means for Malaysian Businesses
Bank Negara Malaysia (BNM) and CyberSecurity Malaysia have signed a Memorandum of Understanding (MoU) to strengthen cyber resilience across the financial sector. This collaboration signals a clear message: cybersecurity in Malaysia's financial ecosystem is being elevated from a compliance checkbox to a strategic national priority.
For businesses operating in or alongside the financial sector, this MoU has practical implications that extend far beyond the banks themselves.
What the BNM-CyberSecurity Malaysia MoU Covers
The MoU establishes formal cooperation between the central bank and the national cybersecurity agency across several areas:
- Threat intelligence sharing — Real-time exchange of cyber threat information between financial regulators and the national cybersecurity apparatus
- Incident response coordination — Joint protocols for responding to cyber incidents that affect financial stability
- Capacity building — Collaborative training programmes and knowledge exchange
- Assessment frameworks — Aligned cybersecurity assessment standards for the financial sector
- Research and development — Joint initiatives on emerging threats and defensive technologies
This is not a symbolic gesture. It represents the integration of Malaysia's financial regulatory framework with its national cybersecurity strategy.
Understanding BNM's RMiT Framework
The foundation of BNM's cybersecurity expectations is the Risk Management in Technology (RMiT) framework, first issued in 2020 and progressively updated since. RMiT applies to all licensed financial institutions, including:
- Banks and Islamic banks
- Insurance companies and takaful operators
- Payment system operators
- E-money issuers
- Digital banks
- Development financial institutions
Key RMiT Requirements
RMiT mandates that financial institutions:
- Establish a Technology Risk Management Framework — Board-level oversight, clear accountability, and documented risk appetite for technology and cybersecurity
- Maintain Cyber Resilience — Not just prevention, but the ability to detect, respond to, and recover from cyber incidents
- Conduct Regular Testing — Vulnerability assessments, penetration testing, and red team exercises at prescribed frequencies
- Manage Third-Party Risks — Due diligence, contractual controls, and ongoing monitoring of all technology service providers
- Ensure Data Protection — Controls for data classification, encryption, access management, and data loss prevention
- Report Incidents Promptly — Notification to BNM within prescribed timeframes (typically 1 hour for critical incidents)
- Maintain Business Continuity — Tested disaster recovery and business continuity plans with defined recovery objectives
What This Means for Fintechs
If you operate a fintech company in Malaysia — whether you hold a licence or are pursuing one — RMiT compliance is not optional. BNM has made it clear that digital-first financial services face the same cybersecurity expectations as traditional banks.
For fintechs, this means:
- Security must be designed in from day one — Retrofitting security is far more expensive than building it correctly
- Compliance costs are real — Budget for security testing, monitoring tools, incident response capabilities, and skilled personnel
- Board accountability is required — Founders and directors must demonstrate active oversight of cybersecurity risk
- Third-party risk extends to your vendors — Every API integration, cloud provider, and outsourced function must be assessed
The Trickle-Down Effect on SME Suppliers
Here is where it gets relevant for businesses that are not themselves financial institutions.
When BNM raises the bar for banks and fintechs, those organisations immediately push the same requirements down to their vendors, suppliers, and service providers. This is the third-party risk management requirement in action.
If your business provides any of the following to a financial institution, you will increasingly face cybersecurity requirements in your contracts:
- IT services and support
- Cloud hosting or SaaS platforms
- Software development
- Data processing or analytics
- Payment gateway services
- Marketing technology that handles customer data
- Office productivity and communication tools
- Physical security systems with network connectivity
What Banks Now Expect from Their Vendors
Financial institutions are now routinely requiring their SME suppliers to:
- Demonstrate basic cybersecurity controls (access management, encryption, patching)
- Submit to security assessments or provide independent audit reports
- Maintain cyber liability insurance
- Sign data processing agreements with specific security clauses
- Report any security incidents that could affect the bank's data or systems
- Maintain business continuity and disaster recovery plans
If your business cannot demonstrate these capabilities, you may find yourself excluded from financial sector contracts — or required to invest rapidly to catch up.
How to Align with BNM's Cybersecurity Expectations
Whether you are a regulated entity or a supplier to one, here are practical steps to align your business with the direction BNM is setting:
1. Conduct a Gap Assessment
Measure your current cybersecurity posture against a recognised framework. ISO 27001, the NIST Cybersecurity Framework, or CyberSecurity Malaysia's Cyber Security Trustmark all provide structured approaches. Identify your gaps honestly.
2. Implement Foundational Controls
Focus on the essentials first:
- Multi-factor authentication on all systems
- Regular patching and vulnerability management
- Network segmentation and monitoring
- Encrypted communications and data storage
- Documented access control policies
- Regular backup and tested recovery procedures
3. Formalise Your Incident Response
Write, test, and maintain an incident response plan. Financial institutions will ask whether you have one, and BNM requires its licensees to ensure that their vendors can respond effectively to security incidents.
4. Document Everything
Compliance is not just about doing the right things — it is about proving you do them. Maintain records of security assessments, training sessions, incident reports, and policy reviews. When a bank audits your security, you need documentation ready.
5. Invest in Your People
Technical controls are only as effective as the people operating them. Regular security awareness training for all staff, together with specialised training for IT teams, is a cost-effective way to reduce risk significantly.
6. Plan for Continuous Improvement
Cybersecurity is not a project with an end date. Build a cycle of assess, implement, test, and improve. Schedule quarterly reviews of your security posture and annual updates to your policies.
Need help with cybersecurity compliance?
Cyberkiz helps Sarawak SMEs meet PDPA and NIST CSF requirements, from Cyber Health Checks to Virtual CISO services.